[Emerging-Sigs] Jorik FakeAV sig

Martin Holste mcholste at gmail.com
Thu Oct 27 15:36:26 EDT 2011


I can confirm that the URI has been in place on many different DNS
hosts for at least a month.  We've been finding these via the
Blackhole exploit sigs, but this sig should be solid.

On Thu, Oct 27, 2011 at 1:50 PM, Packet Hack <pckthck at gmail.com> wrote:
> Seeing this in conjunction with some other FakeAV traffic:
>
>  GET /britix/a HTTP/1.1
>  Accept: */*
>  Accept-Language: en
>  User-Agent: Internet Explorer
>  Host: open-994233.com
>  Connection: Keep-Alive
>
> QND rule (header direction corrected: the request is an outbound GET from a
> $HOME_NET client to an external server, so the source must be $HOME_NET and the
> destination $EXTERNAL_NET for flow:to_server to match):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"UFOISC Jorik FakeAV GET"; flow:established,to_server; content:"GET /britix/a HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)
>
> -- pckthck
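The direction pitfall in the rule header is easy to check offline. The following is an added example, not code from either poster or from Emerging Threats: a minimal evaluator for the subset of Snort rule semantics the quoted rule uses (address direction, $HTTP_PORTS, flow:to_server, a single content match). It runs the rule header as originally posted ($EXTERNAL_NET -> $HOME_NET) and the corrected header ($HOME_NET -> $EXTERNAL_NET) against a constructed copy of the quoted FakeAV request and a benign request, showing that the original header never fires on the outbound beacon. The Packet class, the HOME/EXTERNAL labels and the HTTP_PORTS set are assumptions of this example.

```python
"""Toy evaluator for the direction + content subset of a Snort rule.
Added example; not the original post's code. Packet, HOME/EXTERNAL
labels and HTTP_PORTS are assumptions of this example."""
from dataclasses import dataclass

# Constructed sample: the FakeAV request exactly as quoted in the thread.
FAKEAV_REQUEST = (
    "GET /britix/a HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "User-Agent: Internet Explorer\r\n"
    "Host: open-994233.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.org\r\n\r\n"
)

HTTP_PORTS = {80, 8080}          # stands in for $HTTP_PORTS
HOME, EXTERNAL = "HOME", "EXTERNAL"


@dataclass
class Packet:
    src_net: str      # HOME if the source IP is in $HOME_NET, else EXTERNAL
    dst_net: str      # same for the destination IP
    dst_port: int
    to_server: bool   # True when the packet goes from TCP client to server
    payload: str


@dataclass
class Rule:
    src_net: str
    dst_net: str
    content: str      # a single content: match, no modifiers


# The header as posted in the thread (source/destination inverted).
RULE_AS_POSTED = Rule(EXTERNAL, HOME, "GET /britix/a HTTP/1.1")
# The corrected header: client in $HOME_NET talking out to the FakeAV host.
RULE_CORRECTED = Rule(HOME, EXTERNAL, "GET /britix/a HTTP/1.1")


def rule_fires(rule: Rule, pkt: Packet) -> bool:
    """Emulate: alert tcp <src> any -> <dst> $HTTP_PORTS
    (flow:established,to_server; content:"...";)"""
    if pkt.src_net != rule.src_net or pkt.dst_net != rule.dst_net:
        return False            # address direction in the header did not match
    if pkt.dst_port not in HTTP_PORTS:
        return False            # destination port outside $HTTP_PORTS
    if not pkt.to_server:
        return False            # flow:to_server requires client-to-server
    return rule.content in pkt.payload


def outbound(payload: str) -> Packet:
    """An internal client sending a request to an external web server."""
    return Packet(HOME, EXTERNAL, 80, True, payload)


def compare_headers(payload: str) -> dict:
    """Return which header variant fires on an outbound request carrying payload."""
    pkt = outbound(payload)
    return {
        "as_posted": rule_fires(RULE_AS_POSTED, pkt),
        "corrected": rule_fires(RULE_CORRECTED, pkt),
    }


if __name__ == "__main__":
    print("FakeAV beacon:", compare_headers(FAKEAV_REQUEST))
    print("benign request:", compare_headers(BENIGN_REQUEST))
```

The evaluator ignores everything else in the rule (fast_pattern, sid, rev) because those do not affect whether the header matches; the point is only that an inverted source/destination pair silently produces zero alerts on exactly the traffic the rule was written for, which is the first thing to check when a new signature is deployed and stays quiet.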